TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

While Renowned for Its Forensic Capabilities, the Digital Evidence Program Faces Challenges and Needs More Controls

April 30, 2008

Reference Number: 2008-10-106

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

April 30, 2008

MEMORANDUM FOR CHIEF, CRIMINAL INVESTIGATION

FROM: Michael R. Phillips, Deputy Inspector General for Audit

SUBJECT: Final Audit Report – While Renowned for Its Forensics Capabilities, the Digital Evidence Program Faces Challenges and Needs More Controls (Audit # 200610029)

This report presents the results of our review of the Field Services computer forensics portion of the Criminal Investigation (CI) Division Electronic Crimes Program (E-Crimes).[1] The overall objective of this review was to determine whether E-Crimes properly controlled the collection and timely analysis of digital evidence in support of Internal Revenue Service (IRS) special agents.
This audit was included in our Fiscal Year 2007 Annual Audit Plan and related to the Major Management Challenges of tax compliance initiatives and taxpayer protection and rights.

[1] Appendix IV presents a Glossary of Terms used in the report.

Impact on the Taxpayer

While E-Crimes enjoys an excellent reputation throughout the law enforcement community for digital evidence forensics, the absence of some Program-level processing controls has created risks that could compromise investigations in worst-case scenarios. As the volume of digital evidence significantly increases, the IRS must ensure that it treats this evidence properly and consistently to secure its admissibility in court.

Synopsis

E-Crimes’ prominence in the investigative process has grown quickly, primarily because evidence of financial crimes is increasingly stored on computers, on portable electronic media, and at Internet storage facilities. Approximately 100 Computer Investigative Specialist (CIS) agents stationed across all field offices provide technical expertise on digital evidence during the course of IRS criminal investigations.

We believe that the CIS agents’ reputation for expertise and self-reliance has led E-Crimes to forgo establishing some common and necessary internal controls.
For example, digital evidence is not backed up offsite, CIS agents are not required to keep a detailed record of their activities relating to an investigation, and digital or physical evidence in the possession of CIS agents is not periodically validated.

While our audit objective did not include a detailed assessment of the forward-looking strategies to maintain and advance the E-Crimes digital evidence program, we identified issues that could become problematic without management’s attention, as demand for E-Crimes’ services increases. The continued conversion of experienced special agents to CIS agents could intensify staff attrition concerns, requiring the CI Division to balance the need to have sufficient human capital resources to work criminal investigative priorities with the growing need for CIS agents. In addition, the Division’s initiative to develop a new information technology infrastructure is considered essential to advancing digital evidence processing capabilities. Although information technology oversight is in place, the CI Division needs to ensure that non-technological risks are identified and systemically mitigated and that contingency plans are prepared, in case the new system does not provide the expected operational benefits or is delayed. Finally, the change to the supervisory structure for CIS agents will expand the administrative responsibilities of Area Lead Investigators, which must be considered when determining an effective span of control.

Grand jury secrecy rules precluded our review of whether E-Crimes analyzed digital evidence in a timely manner or followed appropriate legal provisions when seizing and processing digital evidence.
The CI Division could not provide us with documentation or information relating to any grand jury investigation, which was the prevalent type of investigation in our audit’s scope. Without such access, we could not satisfy our responsibility under generally accepted government auditing standards to obtain sufficient, appropriate audit evidence to provide a reasonable basis for findings and conclusions in these two areas.

Recommendations

We recommended that the Director, Electronic Crimes, protect digital evidence by 1) implementing a near-term disaster avoidance plan for digital data, 2) developing effective quality control guidelines and documentation standards for the forensic process, and 3) clarifying the role of the management information system as an evidence inventory control subject to periodic validation. In addition, we recommended that the Chief, Criminal Investigation, assess challenges to maintaining and advancing the digital evidence program by 1) testing the option of using non-law enforcement positions to benefit the field office role, 2) assigning responsibility to a task force or project management team regarding development of and contingency management for non-technological aspects of technology modernization, and 3) continuing to assess the span of control for first-line supervisors as the recently approved direct-line authority is implemented and experienced.

Response

IRS management agreed with Recommendations 2 through 6 and partially agreed with Recommendation 1.
E-Crimes plans to 1) establish policy directives to require periodic validation of evidence data through supervisory operational reviews, 2) review its standard operating procedures annually, and 3) conduct operational reviews to develop quality control and documentation standards to include in future policy directives. In addition, the CI Division will monitor, re-evaluate, and adjust the span of control for the newly created direct-line supervisory positions as needed after standup of the organization. The CI Division will also ensure that project management teams for the information technology infrastructure project remain in compliance with the risk management process.

However, the CI Division believes that the information technology infrastructure project is near-term enough to facilitate the disaster avoidance plan we recommended, dependent on appropriate funding being available. Therefore, the CI Division does not agree that a distinct, near-term plan should be implemented prior to the completion of the information technology infrastructure project. The CI Division will continue to identify roles that can be accommodated with non-law enforcement personnel at E-Crimes’ centralized support sites. However, the Division continues to believe that its current model of having experienced agents as CIS agents is most prudent and does not agree that non-law enforcement personnel can be considered for field offices. Management’s complete response to the draft report is included as Appendix VI.

Office of Audit Comment

In two instances, we do not believe that the CI Division’s corrective actions address the concerns in our recommendations. The Division plans to begin building data centers for the long-term data backup solution when funding is available. However, that will be only the start of implementation, not the completion.
Funding for the data centers is scheduled for Fiscal Years 2009 and 2010, but funding for technology initiatives is dependent on the budget and might be at risk of not being fully approved. Without interim procedures, risks that could materialize from incidents or disasters will continue to exist over the next 2 years, or longer if the system is delayed. In addition, if the option of blending non-law enforcement personnel with experienced agents in the field is not piloted, CI Division management will be missing a valuable opportunity to maximize resources and minimize the risk of continued conversion of experienced special agents to CIS agents, thus exacerbating staff attrition concerns.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Nancy A.
Nakamura, Assistant Inspector General for Audit (Headquarters Operations and Exempt Organizations Programs), at (202) 622-8500.

Table of Contents

Background

Results of Review
    The Electronic Crimes Program Has Not Established Sufficient Controls to Protect Digital Evidence
        Recommendation 1
        Recommendations 2 and 3
    The Electronic Crimes Program Faces Challenges in Maintaining and Advancing Its Digital Evidence Program
        Recommendations 4 and 5
        Recommendation 6
    Grand Jury Secrecy Rules Precluded an Effective Review of Data Analysis Timeliness or Application of Seizure Provisions

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Glossary of Terms
    Appendix V – Electronic Crimes Program Post-of-Duty Map
    Appendix VI – Management’s Response to the Draft Report

Abbreviations

CI          Criminal Investigation
CIS         Computer Investigative Specialist
E-Crimes    Electronic Crimes Program
ECMIS       Electronic Crimes Management Information System
IRS         Internal Revenue Service

Background

The Electronic Crimes Program (E-Crimes) provides guidance and resources in securing, documenting, processing, maintaining, and presenting digital evidence[1] in support of Internal Revenue Service (IRS) criminal investigations. E-Crimes was established as a formal organizational component in 2001.[2] Since then, its role in the Criminal Investigation (CI) Division’s law enforcement investigative process has expanded beyond digital data forensics at the field office level to include broad involvement in developing innovative uses of information technology. At the same time, there has been a large increase in demand for the more traditional mission of supporting the field office special agents in the collection and analysis of digital evidence.
The digital evidence forensics services were the scope of this review.

The E-Crimes Field Services Program guides the efforts of approximately 100 special agents designated as computer investigative specialists (CIS agents), who are stationed across all CI Division field offices to provide technical expertise during the course of investigations.

[Sidebar: The IRS enjoys an excellent reputation in the digital evidence forensics area. For example, in 2004 an industry journalist described the IRS as arguably having the most sophisticated and efficient computer forensics teams, which are emulated by other government agencies.]

The CIS agents are not the lead IRS case agents for criminal investigations. Conceptually, they can be described as co-agents on a case. The degree to which digital data exist as a potential source of evidence in a particular investigation dictates the extent to which one or more CIS agents are involved in an investigation.

CIS agents often extract and secure digital evidence from computers and other data storage devices when conducting court-approved search warrants at a person’s residence, business, or other property.[3] The CI Division policy for collecting electronic records is to “image” information from a computer or other data device onto Federal Government digital hard drives but not to confiscate the electronic devices unless necessary. CIS agents will take possession of physical components only if they encounter problems accessing the data onsite or if a device itself is needed as evidence.
CIS agent expertise includes using specialized equipment and techniques to preserve digital evidence and to recover encrypted, password-protected, or hidden financial data. Normally, CIS agents will analyze the digital data collected and convert extracted evidence into a useable format for the investigating case agents. The information provided to case agents can include common word processing and spreadsheet files, database files, collections of image files, email system content, or even the creation of a virtual workstation that simulates the specific computer environment as it existed at the time of the data seizure.

[1] Appendix IV presents a Glossary of Terms used in the report.
[2] E-Crimes was structured to integrate previously distinct Criminal Investigation Division programs under a common mission; establish program authority with a separate budget; and establish Headquarters-level guidance, policy, and direction.
[3] Not every investigation requires the execution of a search warrant. A person in possession of digital evidence can voluntarily consent to allow the IRS to search for and collect data. Other ways to obtain digital evidence without execution of a search warrant include a subpoena or summons, a witness or an informant, or an intercept from the Internet.

Prior to establishment of E-Crimes, expertise and experience in computer technology had evolved in a decentralized manner, as agents provided technical support for field office operations. Tactical, day-to-day control of CIS agents remained with the respective local Special Agents in Charge.
This supervisory arrangement continued after E-Crimes began operations. However, part of the restructuring involved the addition of geographically based Area Lead Investigators who report to the E-Crimes Headquarters Field Services Program, monitor CIS agents’ workloads, and provide oversight and functional supervision to ensure proper coverage within their respective areas for all activities requiring the assistance of an electronic crimes investigator. A diagram of the posts-of-duty for E-Crimes personnel is presented in Appendix V.

Because initial collection of digital data can require the efforts of several CIS agents working at the same site or simultaneously at multiple sites, large degrees of coordination and cooperation are necessary among individual CIS agents in the same vicinity and, at times, on a nationwide basis. This coordination is a significant part of an Area Lead Investigator’s responsibilities in the Field Services Program.

E-Crimes’ prominence in the investigative process has grown quickly, primarily because evidence of financial crimes is increasingly stored on computers, on portable electronic media, and at Internet storage facilities. E-Crimes estimated that the volume of digital data seized by CIS agents increased tenfold between Fiscal Years 2001 and 2003, and the upward trend has continued each year since (see Figure 1). This growth in volume represents hundreds of search warrants and the contents of thousands of data storage devices seized as evidence.
E-Crimes management considers the increasing volume of digital evidence, which requires the use of specialized technical resources to support modern criminal investigations, as a major challenge to the Program.

Figure 1: Digital Data Seized Yearly by E-Crimes

[Chart: terabytes of digital data (vertical axis, scale 0 to 150) by fiscal year, 2001 through 2006 (horizontal axis); the axis carries an "Estimated" label.]

Terabyte is a measurement term for data capacity equal to one trillion bytes.

Source: Totals calculated by the CI Division E-Crimes management information systems.

We performed this review at the Electronic Crimes Technology and Support Center laboratory in Springfield, Virginia, and at IRS office locations within the Baltimore, Maryland; Boston, Massachusetts; and Oakland, California, field offices during the period November 2006 through August 2007. We conducted this performance audit in accordance with generally accepted government auditing standards. However, due to grand jury secrecy rules, we could not satisfy the Field Work Standard regarding sufficient, competent, and relevant evidence for some of our audit sub-objectives. The final section of the report presents an additional explanation of the scope limitation.
Standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. Except for the areas affected by grand jury limitations, we believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

Results of Review

The Electronic Crimes Program Has Not Established Sufficient Controls to Protect Digital Evidence

We believe that the CIS agents’ reputation for expertise and self-reliance has led E-Crimes to forgo establishing some common and necessary internal controls. While CIS agents are renowned for their processing of digital evidence, the absence of specific Program-level controls has created risks that could compromise investigations in worst-case scenarios. The ultimate value of evidence in a criminal investigation is its admissibility in court. The process used by CIS agents to collect and secure digital data must protect the original image from inadvertent damage and allow the data analysis results to be authenticated as having come from the exact data that were initially obtained.
Comprehensive internal controls are a means for ensuring that data are protected.

Since 2005, E-Crimes has used a task force to create and periodically revise standard operating procedures for the handling of digital evidence. E-Crimes personnel explained that the procedures were intentionally general enough to address the basic steps in collecting and processing digital evidence, without restricting the flexibility needed for each investigation’s circumstances. Because of the experience and professional training that CIS agents have, E-Crimes management did not believe that they needed to, or could, dictate in detail how CIS agents should do their jobs. However, we believe that some procedures do not warrant being designated as discretionary actions and should not be omitted from the standard operating procedures.

[Sidebar: The computer forensics principles that CIS agents are trained in are the basis for the processes they follow.]

Digital evidence is not backed up offsite

CIS agents were not safeguarding a backup copy of the original evidence at a secure, offsite location. CIS agents made working copies of the digital data for analysis purposes, reserving the original images for any forensic authentication purpose that could become necessary to successfully prosecute the case. Both the original evidence images and the working copies were routinely stored within or near the CIS agents’ workspaces.
CIS agents retain custody of and safeguard the original digital evidence images from the time they are collected during a search warrant, or obtained through consent, until the completion of the investigation and any subsequent judicial actions.

Disaster avoidance and continuity principles require that effective data backup procedures include moving copies of critical data to an offsite location that would not be affected by a local catastrophic event such as fire, flood, natural disaster, sprinkler system malfunction, vandalism, or other intentional destructive acts. The location of the facility where the original evidence is stored can also increase the importance of offsite data backup. During our interviews, we observed that two of eight CIS agent workspace locations were below ground level. The IRS experienced the consequences of the risk inherent in below-ground facilities when its National Headquarters building was severely flooded in 2006. Data backup measures help to avoid situations that might otherwise cause loss of data, significant recovery expenses, decreased prosecution potential, or, ultimately, a loss of confidence in E-Crimes’ reputation.

[Photo caption: Digital images are normally written to and stored on digital hard drives similar to this example. Multiple images might fit on one hard drive, depending on their sizes.]

E-Crimes management does value the concept of having an effective data storage and archival system for their Program.
As described in a later section of the report, E-Crimes expects to implement within the next few years an information technology solution that would provide for dual location storage of digital evidence. However, in the current environment, E-Crimes management considers offsite backup for all digital images to be cost-prohibitive because the duplication of images would require additional physical space, equipment, data storage devices, and staff resources.

However, backup measures do not have to be costly or time-consuming. The most basic offsite backup process might require only data hard drives, which have become relatively inexpensive, and shipping postage for transport to another E-Crimes location. Digital hard drives can be recycled when data are subsequently determined to not warrant backup. In addition, E-Crimes could consider moving the current original evidence images to an offsite location to avoid the step of creating an additional copy. We believe that E-Crimes should identify interim procedures to help minimize or eliminate risks that could materialize from incidents or disasters.

CIS agents are not required to keep a detailed record of their activities relating to an investigation

While documentation principles are part of computer forensics training, the absence of specific baseline requirements in E-Crimes’ standard operating procedures has left the methods and substance for documenting case activity during the course of an investigation to the discretion of individual CIS agents.
The reporting requirement in the standard operating procedures simply states that CIS agents write memoranda and reports, as necessary, to document activities and to transmit the results of digital evidence analysis throughout the investigative and judicial processes. Our interviews revealed a variety of opinions held by CIS agents as to the necessity for case documentation. Most stated that they did not keep detailed written documentation to support their analyses or review results.

Several risks are inherent when careful records are not kept. Possible situations include 1) a CIS agent having to duplicate the analyses if it subsequently becomes necessary to provide detailed documentation or 2) difficulty in reassigning ongoing work to different CIS agents after analysis has begun. A practice of preparing reports only when necessary could prove detrimental to the investigation, with the passage of months or years between a CIS agent’s analysis, recollections about such, and an eventual referral for prosecution.

E-Crimes must be prepared to help a prosecutor establish both the admissibility and persuasiveness of digital evidence.
The Justice Department National Institute of Justice has issued a series of guides for law enforcement agencies that suggest general principles for handling digital evidence.[4] These guidelines are not mandated or official policy, but they represent the consensus of a computer forensics working group convened to consider common situations encountered during the examination of digital evidence. Repeated throughout these publications is the principle that documentation should be an ongoing process during the forensic examination. Digital forensics examiners should fully document all actions taken to process digital evidence and make examination notes available for review, discovery, or testimony purposes. The guidelines also suggest preparing a written report at the conclusion of an examination that outlines the process and pertinent data recovered. The rationale for these suggestions is that the examiner might need to testify about not only the conduct of the investigation but also the validity of the forensic procedures used.

[Sidebar: The Justice Department concluded “a well-documented case is much more likely to result in a guilty plea, saving valuable prosecutorial and court resources.”]

E-Crimes management considered the responsibility for creating reasonably relevant processing notes to be inherent in computer forensic principles the CIS agents are trained in.
E-Crimes management did not want to dictate a burdensome degree of documentation and report-writing requirements throughout an investigation because CIS agents collaborate with case agents as the theory of investigation evolves and provide additional digital evidence analysis as needed. Management expects CIS agents to provide for accurate recollection during the course of the investigation in the form of processing notes of steps taken, automated logs kept in forensic processing applications, and written transmittals to case agents. Management believes that lack of adherence to this principle would be a performance issue for supervisors to address.

[4] Publications of the United States Department of Justice, National Institute of Justice: Electronic Crime Scene Investigation: A Guide for First Responders (July 2001) (www.ojp.usdoj.gov/nij/pubs-sum/187736.htm), Forensic Examination of Digital Evidence: A Guide for Law Enforcement (April 2004) (www.ojp.usdoj.gov/nij/pubs-sum/199408.htm), and Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors (January 2007) (www.ojp.usdoj.gov/nij/pubs-sum/211314.htm).

E-Crimes management stated that the issue involves how to define proper documentation and what form it should take throughout an investigation. We believe that E-Crimes’ resistance to specifying those requirements has resulted in an environment in which documentation principles might not always be followed. For example, several E-Crimes personnel commented that the possibility of discovery during a trial was a reason for CIS agents to avoid maintaining detailed notes about their digital evidence processing.
The concern was that if processing notes exist that
the defense could review, there could be an opportunity for the defense to challenge the process
in some manner. E-Crimes management agrees that to purposefully not make or retain notes for
that reason is inappropriate and is not the policy of the E-Crimes Program.
We believe that E-Crimes should clearly set forth requirements in its standard operating
procedures to ensure that properly documented case records support CIS agent activity at the
time the analyses are conducted.

Digital or physical evidence in the possession of CIS agents is not periodically validated
CIS agents input information about digital images and other electronics-related evidence to the
E-Crimes management information system (ECMIS). While the ECMIS, which was launched at
the beginning of Fiscal Year 2006, was designed to provide evidence inventory accounting and
case tracking information, the system has not yet evolved into a complete inventory control to
account for digital data or to record disposition of the data. Inventory control principles require a
periodic and independent validation of the physical condition of the items under control and
reconciliation to inventory records to ensure the accuracy and reliability of the system.
Exceptions identified through inventory controls can include missing and uncontrolled items.
Over the past several years, the CI Division has worked on some of the most notorious financial
crime investigations in history, investigations that arguably contributed to fundamental changes
to our economy and society. We believe that digital hard drives containing confidential and
sensitive information, especially for cases of high national law enforcement priority, would be
valuable items of contraband in the hands of an errant employee.
In the worst case, only a single
instance of compromised data in a high-profile investigation could damage the Federal
Government’s reputation and provide a way to mount a defense against criminal charges.
Chain-of-custody principles require CIS agents to maintain the integrity of evidence in its
original condition and to ensure that the evidence is not lost, stolen, or altered in the months or
years between the time obtained and any judicial proceedings. During a seizure action, the IRS
prepares a search warrant inventory list that itemizes everything it has taken, including any
digital images and electronics-related items. These lists are maintained in each investigation’s
case documentation. However, CI Division policy states that seized records and documentary
evidence, including digital images, are not required to be tracked in the main IRS automated
accounting system.5 E-Crimes created the ECMIS to provide its own automated controls over
digital evidence. E-Crimes personnel told us during our interviews that they entered evidence
items in the ECMIS to capture workload attributes such as the location of the data when seized,
the kinds of devices the data came from, and the digital size of the data.
To determine if the ECMIS was capable of tracking the electronic evidence inventory, we
conducted a limited comparison of ECMIS evidence records to digital evidence on hand at the
locations we visited. We were able to verify that 322 evidence items were present with the
assigned CIS agents, as reflected in the ECMIS, and an additional 40 items had been disposed of
or moved to a different location.
If accountability for E-Crimes evidence was controlled,
information on the 40 items would need to be updated. We believe that it is feasible for
E-Crimes to use its existing evidence inventory database information for accountability purposes.
This would represent an important control in monitoring the original digital evidence.

Recommendations
Recommendation 1: The Director, Electronic Crimes, should implement a near-term disaster
avoidance plan for digital evidence in the possession of E-Crimes personnel, until a long-term
plan is developed based on future technology advancements.
         Management’s Response: The IRS agreed, in part, with the recommendation. In
         Fiscal Year 2009, E-Crimes plans to transition from the proof-of-concept testing stage to
         the implementation stage of its long-term information technology infrastructure project
         for the safe, efficient, and redundant storage of digital data. The CI Division believes that
         the information technology infrastructure project is near-term enough to facilitate the
         disaster avoidance plan in the recommendation. Implementation of this, or any, solution
         is dependent on appropriate funding.
         Office of Audit Comment: We do not believe that this corrective action addresses the
         concerns stated in our recommendation. The CI Division agreed that digital evidence is
         not backed up offsite but did not agree that a distinct, near-term disaster avoidance plan
         should be implemented prior to completion of the information technology infrastructure
         project. The Division plans to begin building data centers for the long-term solution
         when funding is scheduled to be available at the beginning of Fiscal Year 2009.
         However, that will be only the start of implementation, not the completion.
         Funding for
         the data centers is scheduled for Fiscal Years 2009 and 2010, but funding for technology
         initiatives is dependent on the budget and might be at risk of not being fully approved.
         Without interim procedures, risks that could materialize from incidents or disasters will
         continue to exist over the next 2 years, or longer if the system is delayed.

5 For financial accounting reasons, seized currency, firearms, and property items that meet a specific minimum
dollar value are required to be subject to systemic tracking. Digital evidence and traditional paper evidence are not
considered to have any dollar value.

Recommendation 2: The Director, Electronic Crimes, should include effective quality
control guidelines and documentation standards in the E-Crimes standard operating procedures
applicable to personnel nationwide.
       Management’s Response: The IRS agreed with the recommendation. In
       March 2008, E-Crimes issued revised standard operating procedures that address
       documentation standards applicable to the seizure and processing of digital evidence.
       E-Crimes plans to review the standard operating procedures annually.
       In addition, with
       the transition to direct-line management, E-Crimes plans to conduct operational reviews
       to develop quality control and documentation standards to include in future policy
       directives.
Recommendation 3: The Director, Electronic Crimes, should clarify the role of the ECMIS
as an evidence inventory control and require a periodic evidence reconciliation and validation in
the E-Crimes standard operating procedures.
       Management’s Response: The IRS agreed with the recommendation. With the
       recent transition to direct-line management of CIS agents within the Field Services
       Program, E-Crimes plans that one of the areas of focus for supervisors will be periodic
       validation of evidence data through operational reviews. E-Crimes plans to cover the
       requirements for such reviews and other administrative matters through forthcoming
       policy directives.

The Electronic Crimes Program Faces Challenges in Maintaining and Advancing Its Digital Evidence Program
Our audit objective did not include a detailed assessment of the CI Division’s forward-looking
strategies to maintain and advance the E-Crimes digital evidence program as the demand for
E-Crimes’ services increases.
However, we identified three challenges that warrant management
attention before they become problematic:
   •    The continued conversion of experienced special agents to CIS agents could intensify
        staff attrition concerns.
   •    The initiative to develop a new information technology infrastructure is considered
        essential to advancing digital evidence processing capabilities.
   •    The change to the supervisory structure for CIS agents will expand the administrative
        responsibilities of Area Lead Investigators.

The continued conversion of experienced special agents to CIS agents could intensify staff attrition concerns
The CI Division selects from its pool of experienced special agents who have demonstrated
information technology skills when filling CIS agent positions. Gaining an experienced agent in
the CIS agent position benefits the E-Crimes program but might represent a detriment to the field
office that loses the experienced special agent from its ranks. The CI Division prefers this
method of in-house staffing as opposed to having technically educated, but non-law enforcement,
personnel perform digital evidence analyses. E-Crimes believes that the CIS agent’s job is not
only to preserve, extract, and analyze the digital evidence but also to know what to look for, what
questions to ask, and how to prepare evidence for a trial.
In addition, because they are law
enforcement agents, CIS agents can carry firearms, execute warrants, and perform searches and
seizures.
We agree with E-Crimes’ contention that the law enforcement background makes experienced
special agents likely to be the best possible CIS agents. However, we believe that the accelerated
growth in the volume of digital evidence in the investigative process warrants reconsideration of
the alternative of also hiring technologically
educated, but non-law enforcement, personnel to blend with experienced agents and fill some
aspects of the field office CIS agent role. Because of uncertainty as to how high the volume of
digital data seized will rise, how long special agent attrition will exceed hiring authority, and
how successful technological solutions will be in maximizing the use of CIS agent resources, we
believe that the CI Division will have to balance the need to have sufficient human capital
resources to work criminal investigative priorities with the growing need for CIS agents.

    Selection as a CIS agent dedicates a special agent to a collaborative support role and
    removes him or her from the primary case agent role.

Figure 2 shows our estimate that nearly one-half of the CIS agents and Area Lead Investigators
on rolls at the beginning of Calendar Year 2007 will be eligible to retire by the end of 2012,
based on retirement eligibility dates.
Under the current selection process, agents selected to
replace retiring CIS agents will be taken from the pool of experienced field office investigative
agents.

Figure 2: Forecast of Retirement Eligibility
(Percentage of 2007 roster; cumulative portion eligible at end of calendar year)

    2007    2008    2009    2010    2011    2012
    17%     23%     23%     30%     40%     49%

Source: Our comparison of the E-Crimes Personnel Roster (January 2007) to retirement eligibility
dates in the Department of the Treasury automated personnel system.

Since 2002, overall attrition has exceeded or matched overall hiring in the CI Division due to
budgetary limitations. At the time of our audit, the CI Division anticipated losing about
150 special agents in each of the next 2 years, and it expected to hire only 46 and 48 new agents
in Fiscal Years 2007 and 2008, respectively. The attrition of human capital is a significant
management challenge affecting many parts of the IRS, not just the CI Division.
In the past
2 years, we have expressed our concern that the loss of experienced special agents might
adversely affect the overall levels of and improvements in productivity that the CI Division had
been experiencing.6 In this environment, we believe that E-Crimes should determine whether a
deviation from its policy of in-house CIS agent recruiting is warranted, especially over the longer
term. In addition, E-Crimes should contact other digital forensics functions to identify best
practices in staffing and recruiting.

The initiative to develop a new information technology infrastructure is considered essential to advancing digital evidence processing capabilities
The CI Division has started an initiative to develop a technological solution because it continues
to encounter increasing volumes of digital evidence. To monitor the planning, development, and
implementation milestones of new technology solutions, the CI Division has established an
Information Technology Executive Steering Committee and Governance Process. This Process
provides oversight to the technological aspects of the planned infrastructure, but it is not
designed to focus on how the infrastructure will affect non-technological aspects.
The Government Accountability Office has issued guidance for agencies to include comprehensive
risk management as a key element when undertaking new projects, including the initiative’s
impact on non-technological elements (people, processes, physical infrastructure).7

6 Statistical Portrayal of the Criminal Investigation Function’s Enforcement Activities From Fiscal Year 2000
Through Fiscal Year 2006 (Reference Number 2007-10-083, dated June 6, 2007).

The CI Division has obtained funding for its initiative in the IRS Information Technology
Modernization Vision and Strategy for Fiscal Years 2009 and 2010. If prototype testing is
successful, the proposed system will include the buildout of 2 full-scale digital evidence data
centers, estimated at the time of our audit to exceed $3 million each. The data centers will store
and archive digital evidence, perform analysis, and deliver results electronically to case
investigators in field offices nationwide. The system will leverage state-of-the-art information
technology to use available E-Crimes resources to meet the increasing need to exploit digital
evidence in complex financial investigations. The data centers will change the handling of
digital data but not eliminate the need for the cadre of CIS agents in the field office locations to
capture the data at their sources.

    The IRS should have contingency plans, in case the new system does not provide the
    expected operational benefits.

As acknowledged in the Modernization Strategy, the IRS has had some difficulty with its overall
information technology modernization. Indeed, history shows that Federal Government
technology initiatives are prone to various risks that influence the predictability of the eventual
timeliness or functionality of a project. For other CI Division technology initiatives, task forces
have been created to assist in the projects’ formulation.8 Task force members represented
various levels of the organization: managers, special agents, support positions, and information
technology specialists. At the time of our review, such a task force had not been formed for the
data center initiative. We believe that in addition to the formal IRS information technology
oversight in place, the CI Division needs a task force to ensure that 1) non-technological risks are
identified and systematically mitigated, 2) personnel are prepared for process changes that will
accompany the new system, and 3) contingency plans are prepared, in case the new system does
not provide the expected operational benefits or is delayed.
This initiative is a significant
challenge because E-Crimes officials believe that the advancement of digital evidence processing
capabilities is essential to maintaining the CI Division’s ability to conduct effective
investigations as technology advances.

7 “Key IT System Acquisition Best Practices” identified and reported by the Government Accountability Office:
Information Technology: DOD’s Acquisition Policies and Guidance Need to Incorporate Additional Best Practices
and Controls, Appendix II (GAO-04-722, dated July 2004) or Information Technology: FBI Following a Number of
Key Acquisition Practices on New Case Management System, but Improvements Still Needed, Appendix II
(GAO-07-912, dated July 2007).
8 The Investigative Data Analytics Project and the Scanning and Document Management Project, as noted in the
Criminal Investigation Business Performance Report (dated March 31, 2007).

The change to the supervisory structure for CIS agents will expand the administrative responsibilities of Area Lead Investigators
At the time of our audit, E-Crimes was proposing the formal transfer of supervisory
responsibility for the approximately 100 CIS agents from field office managers to a direct line of
authority within E-Crimes. This change in management structure was approved by the Chief, CI,
on October 24, 2007, and will be implemented over the following several months. The rationale
for this proposal was that E-Crimes would manage CIS agent resources better than field office
managers who have had no formal training in computer forensics or the peculiarities of digital
evidence.
In addition, the E-Crimes reorganization proposal outlined the need to add one more
Area Lead Investigator position to address the span of control disparity.9 Figure 3 shows that
two of the seven Area Lead Investigator positions had significantly more CIS agents to oversee
than their counterparts.

Figure 3: Span of Control for Area Lead Investigators
[Bar chart: number of CIS agents in each of the seven geographic ALI areas: 10, 11, 13, 14, 14, 18, and 20.
The chart marks the 10-14 span suggested in the E-Crimes supervision proposal.]

Source: E-Crimes Personnel Roster (January 2007). ALI = Area Lead Investigator.

Our interviews with personnel in one of the two high span-of-control areas revealed that the
higher number of agents and larger geographic coverage issues significantly limited detailed
supervisory oversight of the CIS agents. Consequently, the Area Lead Investigator had to rely
on the proficiency of the CIS agents to perform their duties without close supervisory
involvement.
E-Crimes personnel advised us that this situation could become even more
challenging as the number of digital evidence seizures continues to rise at an exponential rate,
potentially bringing with it the need for additional CIS agents in the future.

9 The proposal also establishes a new name and personnel system codes to replace the non-supervisory Area Lead
Investigator positions with expanded supervisory positions.

Because implementation of direct-line authority between CIS agents and Area Lead Investigators
will create additional administrative responsibilities for Area Lead Investigators as the official
first-line managers, we are concerned that achieving the proper degree of supervisory
involvement will remain a challenge after the management restructuring. We believe that
E-Crimes should conduct an online assessment as the new management structure is implemented
to ensure that the spans of control, both geographically and staffing related, do not jeopardize the
uniform management of the digital forensics program.

Recommendations
Recommendation 4: The Chief, CI, should ensure that E-Crimes tests the option of using
non-law enforcement positions to benefit the digital evidence field office role.
       Management’s Response: The IRS agreed with the recommendation. The
       CI Division believes that non-law enforcement personnel should be considered where
       feasible to support or augment the role of CIS agents in the field locations. However, the
       CI Division is unsure how the recommended option of using non-law enforcement
       positions to benefit the digital evidence field office role can be tested.
       It has considered
       this option but continues to believe that the current model of having experienced special
       agents as CIS agents is most prudent due to the technological, legal, investigative, and
       financial requirements of the CIS agent position. However, the CI Division will continue
       to identify roles that can be accommodated with non-law enforcement personnel at the
       E-Crimes support center as well as the data centers.
       Office of Audit Comment: We do not believe that this corrective action addresses the
       concerns stated in our recommendation. The CI Division agreed to continue considering
       non-law enforcement personnel for centralized support positions but did not agree that
       non-law enforcement personnel can be considered for positions in field offices to benefit
       the digital evidence role of CIS agents. If the option of blending non-law enforcement
       personnel with experienced agents in the field is not piloted, CI Division management
       will be missing a valuable opportunity to maximize resources and minimize the risk of
       continued conversion of experienced special agents to CIS agents, thus exacerbating staff
       attrition concerns.
Recommendation 5: The Chief, CI, should ensure that E-Crimes specifically assigns to a
task force or project management team the responsibility of having a structured and documented
risk management process for the information technology infrastructure project to address
non-technological aspects and contingency plans.
       Management’s Response: The IRS agreed with the recommendation. The
       CI Division already has in place an information technology project management team as
       well as an internal E-Crimes team composed of management officials, CIS agents, and
       technical experts.
        The CI Division believes that these teams comply with the risk
        management process that was recommended and will ensure that the teams remain in
        compliance.
Recommendation 6: The Chief, CI, should ensure that E-Crimes continues to assess the
scope of the responsibilities of the revised Area Lead Investigator positions as direct-line
authority is implemented and experienced to determine an effective span of control that
addresses long-term organizational needs.
        Management’s Response: The IRS agreed with the recommendation. The
        CI Division will monitor the issue, re-evaluate the span of control for the newly created
        direct-line management position after standup of the organization, and adjust the span of
        control if needed.

Grand Jury Secrecy Rules Precluded an Effective Review of Data Analysis Timeliness or Application of Seizure Provisions
Because of grand jury secrecy rules,10 the CI Division could not provide us with documentation
or information relating to grand jury investigations. Without such access, we could not satisfy
our responsibility under generally accepted government auditing standards to obtain and evaluate
sufficient audit evidence to support conclusions as to whether E-Crimes analyzed digital
evidence in a timely manner or followed appropriate legal provisions when seizing and
processing digital evidence. We do not provide any assurances or recommendations in these two
areas.
This grand jury scope limitation is prevalent in our audits of the CI Division.
Due to the nature
of non-tax crimes within the CI Division’s jurisdiction, most investigations are conducted jointly
with at least one other Federal Government law enforcement agency and use the grand jury
process to facilitate the investigations. The CI Division’s position, based on advice from the IRS
Office of Chief Counsel, Division Counsel/Associate Chief Counsel (Criminal Tax),11 was that
when the classification of material as grand jury or non-grand jury is in question, the ultimate
decision to release information rests with the attorney for the Federal Government (such as the
United States Attorney’s Office or other pertinent Department of Justice official). We did not
get permission to review supporting documents on grand jury investigations from the applicable
United States Attorney Offices for the IRS field offices we visited.

10 Federal Rules of Criminal Procedure, 18 U.S.C. Appendix Rule 6 (2005) state that persons shall not disclose
matters occurring before the grand jury.
11 A function within the IRS Office of Chief Counsel responsible for providing legal guidance.

As a result, the scope of cases subject to our review of supporting documentation consisted of
only 11 non-grand jury investigations (9 were in a single field office, and 6 were assigned to a
single CIS agent), as opposed to our planned audit sample scope of 30 investigations from
3 dispersed field offices.
We did not observe anything noteworthy in the case actions when we
reviewed the documentation for the 11 non-grand jury investigations.
The legal provisions applicable to the seizure of digital evidence in criminal investigations are
based on the Fourth Amendment to the United States Constitution and other statutory privacy
laws. CIS agents help to ensure that appropriate legal requirements are met by assisting the
special agents in drafting search warrant applications with proper language to describe computer
hardware, software, peripherals, and data stored within the computers to be seized.
Subsequently, CIS agents must comply with any warrant and local judicial time requirements for
timely review or return of seized media evidence within the scope of the warrant. Even in the
absence of judicial requirements, E-Crimes strives for digital evidence analysis to be completed
within a short period to minimize the elapsed calendar days for an investigation.

Appendix I

Detailed Objective, Scope, and Methodology

The objective of this review was to determine whether the CI Division E-Crimes1 properly
controlled the collection and timely analysis of digital evidence in support of IRS special agents.
To accomplish this objective, we planned to evaluate internal controls regarding the processing
of digital data obtained by E-Crimes and to review documentation supporting the activity of the
E-Crimes CIS agents during their assignments.
As discussed in the final section of the audit report, grand jury secrecy rules limited the scope of
our review for two sub-objectives in our
audit plan. The scope limitation meant that we could
not conduct some planned tests in accordance with the generally accepted government auditing
standard regarding the Field Work Standard for Performance Audits. This Standard relates to
our need to have sufficient audit evidence with which to provide a reasonable basis for findings
and conclusions. Because we could not have access to any documentation of CIS agent activity
on grand jury investigations, we could not conclude whether E-Crimes analyzed digital evidence
in a timely manner or followed appropriate legal provisions when seizing and processing digital
data.
To accomplish the audit objective, we:
I.      Evaluated internal controls relating to digital evidence obtained or seized by CIS agents.
        A. Reviewed the Internal Revenue Manual, the standard operating procedures, and other
           guidance relating to securing and analyzing digital evidence.
        B. Used a copy of the ECMIS2 data as of January 12, 2007, to establish the population of
           digital evidence assignments in which CIS agents were involved during Fiscal
           Year 2006. We considered the reliability of data contained in the ECMIS to be
           undetermined in terms of completeness and accuracy. However, we determined that
           using the data for informational purposes would not weaken our analysis or lead to an
           incorrect or unintentional message.

1 Appendix IV presents a Glossary of Terms used in the report.
2 At the time of our audit, E-Crimes considered the ECMIS to still be in pilot status.
E-Crimes had only recently completed a validation effort to gain confidence in the content of the
ECMIS, after launching the System subsequent to the beginning of Fiscal Year 2006.

        C. Observed the physical environments for digital evidence analysis and storage during
           onsite visits to three selected field offices.[3]
             1. Judgmentally selected the Baltimore, Maryland; Boston, Massachusetts; and
                Oakland, California, field offices as audit sites, based on ECMIS data that
                indicated high totals for the number of investigations assisted on, number of
                evidence items seized, and volume of digital data seized. We also considered
                whether some of the investigations were potentially non-grand jury investigations
                and ensured that the selected locations were geographically dispersed. At least
                three different CIS agents within each selected field office had been the primary
                CIS agent for several digital analysis investigations during Fiscal Year 2006.
             2. Judgmentally selected for visitation the posts-of-duty for three Area Lead
                Investigators and nine CIS agents, located in eight cities, within the three selected
                field offices. We did not physically visit other CIS agent posts-of-duty within
                those field offices because they were in outlying geographical locations, were
                staffed by less experienced CIS agents, or could not be scheduled during the time
                of our visit.
        D.
           Interviewed each selected Area Lead Investigator and CIS agent to gain their
           perspectives on various aspects of the digital data forensics environment.
        E. For investigations in which 8 selected CIS agents were the primary CIS agents,
           verified whether 362 evidence items recorded in the ECMIS were accounted for
           properly. The verification process was limited because all investigation names
           relating to grand jury investigations had to be covered from our view. Because we
           could not handle the evidence items ourselves, we had to rely on the CIS agents to
           translate names into case numbers and to orally read evidence label information for
           our use.

[3] There were 30 field offices designated in the ECMIS at the time of our audit. However, the
CI Division was in the process of consolidating some field offices.

II.     Reviewed documentation regarding CIS agent activity on Fiscal Year 2006 assignments.
        A. Reviewed monthly time reports for the period October 2005 through February 2007
           for each CIS agent in the selected field offices to determine the number of hours
           charged to specific investigations, projects, or other time categories.
        B. Reviewed relevant case documentation on non-grand jury investigations assigned to
           the CIS agents visited. Only 11 (12 percent) of the 94 investigations assigned to the
           8 CIS agents on the ECMIS were non-grand jury. Of these 11 investigations, 9 were
           in 1 field office and 6 were assigned to 1 CIS agent.
           We reviewed paper documentation from the CIS agents’ case files for the
           11 non-grand jury investigations to evaluate CIS actions and the timeline of the
           assignment.
        C. Via letters, requested the assistance of three applicable United States Attorney’s
           Offices in determining, for grand jury investigations, whether CI Division documents
           that could be responsive to our audit tests were actually grand jury material.

Appendix II

Major Contributors to This Report

Nancy A. Nakamura, Assistant Inspector General for Audit (Headquarters Operations and
Exempt Organizations Programs)
Carl L. Aley, Director
John R. Wright, Director
Diana M. Tengesdal, Audit Manager
Timothy A. Chriest, Lead Auditor
Joseph P. Smith, Senior Auditor
Ahmed M.
Tobaa, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Services and Enforcement SE
Director, Technology Operations and Investigative Services, Criminal Investigation SE:CI:TOIS
Deputy Director, Technology Operations and Investigative Services, Criminal Investigation SE:CI:TOIS
Director, Electronic Crimes, Criminal Investigation SE:CI:TOIS:EC
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Director, Planning and Strategy, Criminal Investigation SE:CI:S:PS

Appendix IV

Glossary of Terms

Term                          Definition

Area Lead Investigator        Reports directly to the E-Crimes Director, Field Services.
                              In direct coordination with the field offices, the Area Lead
                              Investigator provides national program direction, resource
                              allocation, knowledgeable oversight, and functional
                              supervision of CIS agents to ensure timely and
                              quality workload management, completion of assignments,
                              training, and support.

Computer Investigative        An experienced special agent with excellent financial
Specialist (CIS)              investigative skills and knowledge of accounting and legal
                              principles. A CIS agent completes a standardized course of
                              study in computer evidence recovery and analysis. The
                              mission of the CIS agent position is to serve as an
                              investigator who contributes computer expertise to criminal
                              investigations. A CIS agent is a member of his or her
                              respective field office and should be used exclusively for
                              CIS agent assignments.

Criminal Investigation (CI)   Responsible for investigating alleged violations of criminal
Division                      statutes regarding tax administration, which is relatively
                              evident because of the widely known role of the IRS as the
                              nation’s tax collection agency.
                              In addition to working tax
                              evasion cases, IRS agents often work with financial
                              components of other Government agencies to combat
                              money laundering, corporate fraud, terrorism financing,
                              currency reporting violations, narcotics, or other critical
                              national law enforcement priorities.

Digital Data                  Information contained on a digital storage device.

Digital Evidence              Information of investigative value, stored or transmitted in
                              digital form, that may be relied upon in court.

Discovery                     A legal term for the pretrial process during which each
                              party requests relevant information and documents from
                              the other side, in an attempt to “discover” pertinent facts.
                              Discovery methods include depositions, requests for
                              admissions, document production requests, and requests for
                              inspection.

Electronic Crimes             An electronic case management system designed by
Management Information        E-Crimes specifically to capture workload data related to
System (ECMIS)                the acquisition of digital evidence from whatever source
                              and the processing of that evidence by a CIS agent in
                              support of an investigation.

Electronic Crimes             The post-of-duty for some E-Crimes Headquarters
Technology and Support        management
                              officials and the de facto home location for
Center Laboratory             E-Crimes. Laboratory personnel evaluate, test, and
                              document the effectiveness and validity of computer
                              forensics procedures, techniques, equipment, and software
                              used in the data recovery and analysis processes. The
                              laboratory also develops basic and advanced training
                              programs for CIS agents.

Field Office                  Offices within the five CI Division geographical areas
                              throughout the country with boundaries that range from a
                              portion of a single State to inter-State areas. There were
                              30 CI Division field offices at the time of our audit. Each
                              field office has a Special Agent in Charge to direct,
                              monitor, and coordinate the criminal investigation activities
                              within that office’s area of responsibility. Several
                              post-of-duty cities are located within each field office.

Field Services Program        Under the Director, Field Services, supervises the Area
                              Lead Investigators and is responsible for the coordination
                              and direction of E-Crimes Field Operations nationwide.

Forensics                     Involves obtaining and analyzing information for use as
                              evidence in court. Computer forensics involves
                              scientifically analyzing data from digital storage media,
                              including the recovery of data that users have hidden or
                              deleted.
                              Investigators often examine digital data not
                              knowing if the data contain evidence or if any evidence
                              would be incriminating or would disprove an allegation.

Hard Drive                    A sealed box containing rigid platters (disks) coated with a
                              substance capable of storing data magnetically in digital
                              format. One or more hard drives can be present inside the
                              case of a computer and can exist in standalone, external
                              cases attached by cables. A hard drive normally stores
                              information such as computer programs, text, pictures,
                              video, and multimedia files.

Image                         In a data forensics context, a duplicate copy of an entire
                              digital data storage device exactly as it existed in digital
                              form. When a computer file is saved, it actually exists in
                              randomly scattered sectors on the disk rather than in one
                              continuous block. When a file is retrieved, the scattered
                              pieces are reassembled from the disk in the device’s
                              memory and presented as a single file. Imaging copies all
                              the scattered pieces of various files, even fragments of
                              deleted files.
                              In contrast, a file-by-file copy merely creates
                              a copy of reassembled files without including file
                              fragments.

Log Data                      As a generic term, refers to a computer application’s
                              automated recording of user, computer networking, or
                              computer operating activity that might contain software
                              installation and setting information, user registration data,
                              or a running account of a computer process.

Modernization Vision and      A tool to support the fulfillment of the IRS mission and
Strategy                      strategic goals by establishing a 5-year plan that drives
                              information technology investment decisions. The
                              Modernization Strategy issued in October 2006 will guide
                              the investment priorities of the Business Systems
                              Modernization program for Fiscal Years 2007 through
                              2011.

Special Agent                 A duly sworn CI Division Federal Government law
                              enforcement officer trained as a financial investigator.

Appendix V

Electronic Crimes Program Post-of-Duty Map

Source: Diagram by E-Crimes (January 2007).
ECP = Electronic Crimes Program.
SAC = Special Agent in Charge.

Appendix VI

Management’s Response to the Draft Report